
Malicious Software and its Underground Economy

Two Sides to Every Story

(a glimpse at) Limits of Dynamic Analysis


Lorenzo Cavallaro
Information Security Group Royal Holloway, University of London

Jul 1, 2013 (Week 3-4)

(Week 3-4) Lorenzo Cavallaro (ISG@RHUL)

Malware and its Underground Economy

Jul 1, 2013 (Week 3-4)

1/9

Limitations of sandboxes

Only the behaviors associated with the paths actually taken can be monitored.

Forced multi-path exploration:
- Assumption: the behavior of the program depends on the output of the syscalls it executes
- Track dependencies between syscall outputs and program variables
- Detect untaken paths and force their execution by computing new program states that satisfy the path conditions

http://www.ecsl.cs.sunysb.edu/tr/TR238.pdf
http://www.iseclab.org/papers/explore.pdf
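The three steps of forced multi-path exploration listed above, worked through on a toy. This is an added example, not code from the slides or from the Moser/Kruegel/Kirda tool: the instruction set, the constructed bot program (a one-byte command check and a time-bomb) and the trivial equality/inequality solver are all assumptions made for the illustration; a real analyzer works on x86 and hands the path conditions to a constraint solver.

```python
"""Toy forced multi-path explorer (added example; not the paper's tool).

Syscall results are the only untrusted inputs, so we
(1) track which syscall (plus a constant offset) each variable derives from,
(2) log every branch decided on such data, and
(3) solve for syscall outputs that flip each branch in turn and re-run."""
from collections import defaultdict

# Constructed toy bot.  Instructions are (op, args...):
#   ('sys', dst, name)       dst = result of syscall `name`
#   ('add', dst, src, k)     dst = src + k            (propagates dependency)
#   ('beq', src, k, target)  if src == k: goto target (branch on input)
#   ('act', name)            observable behaviour
#   ('jmp', target) / ('end',)
PROGRAM = [
    ("sys", "cmd", "recv"),      # 0: command byte from the C&C channel
    ("sys", "t", "time"),        # 1: current time
    ("add", "d", "t", -1000),    # 2: d = t - 1000
    ("beq", "d", 0, 12),         # 3: time-bomb, fires only when t == 1000
    ("beq", "cmd", 0x41, 8),     # 4: 'A' -> ddos
    ("beq", "cmd", 0x42, 10),    # 5: 'B' -> spam
    ("act", "idle"),             # 6: anything else: look benign
    ("end",),                    # 7
    ("act", "ddos"),             # 8
    ("end",),                    # 9
    ("act", "spam"),             # 10
    ("end",),                    # 11
    ("act", "wipe"),             # 12
    ("end",),                    # 13
]


def run(program, env):
    """Concrete execution with syscall outputs taken from `env`.
    Returns (behaviours, path); path records, for each branch on
    input-derived data, (pc, (syscall, offset), constant, taken)."""
    vals, deps, acts, path, pc = {}, {}, [], [], 0
    while True:
        ins = program[pc]
        if ins[0] == "sys":
            _, dst, name = ins
            vals[dst], deps[dst] = env[name], (name, 0)
        elif ins[0] == "add":
            _, dst, src, k = ins
            vals[dst] = vals[src] + k
            name, off = deps[src]
            deps[dst] = (name, off + k)        # dst == syscall + off + k
        elif ins[0] == "beq":
            _, src, k, target = ins
            taken = vals[src] == k
            path.append((pc, deps[src], k, taken))
            if taken:
                pc = target
                continue
        elif ins[0] == "act":
            acts.append(ins[1])
        elif ins[0] == "jmp":
            pc = ins[1]
            continue
        elif ins[0] == "end":
            return acts, path
        pc += 1


def solve(constraints, base_env):
    """Find syscall outputs satisfying every ((syscall, off), k, taken)
    constraint, i.e. syscall + off == k (taken) or != k (not taken).
    Only (in)equalities occur in this toy, so a direct solve suffices.
    Returns None when the constraints are unsatisfiable."""
    eq, ne = {}, defaultdict(set)
    for (name, off), k, taken in constraints:
        want = k - off
        if taken:
            if eq.get(name, want) != want:
                return None
            eq[name] = want
        else:
            ne[name].add(want)
    env = dict(base_env)
    for name, v in eq.items():
        if v in ne[name]:
            return None
        env[name] = v
    for name, bad in ne.items():
        if name not in eq:
            while env[name] in bad:
                env[name] += 1
    return env


def explore(program, seed_env, max_runs=64):
    """Forced multi-path exploration.  Returns {behaviour tuple: env}."""
    results, worklist, tried, runs = {}, [seed_env], set(), 0
    while worklist and runs < max_runs:
        env = worklist.pop()
        acts, path = run(program, env)
        runs += 1
        results.setdefault(tuple(acts), env)
        for i, (pc, dep, k, taken) in enumerate(path):
            # keep the first i branch decisions, negate branch i
            key = tuple((p, t) for p, _, _, t in path[:i]) + ((pc, not taken),)
            if key in tried:
                continue
            tried.add(key)
            cons = [(d, kk, t) for _, d, kk, t in path[:i]] + [(dep, k, not taken)]
            new_env = solve(cons, env)
            if new_env is not None:
                worklist.append(new_env)
    return results


if __name__ == "__main__":
    seed = {"recv": 0, "time": 1_700_000_000}
    print("single run:", run(PROGRAM, seed)[0])     # ['idle']
    for acts, env in explore(PROGRAM, seed).items():
        print(acts, env)
```

A plain sandbox run with the seed environment observes only `idle`; the explorer additionally reaches `ddos`, `spam` and `wipe`, each with the syscall outputs (command byte, clock value) that trigger it. Note that the time-bomb is reached through the `d = t - 1000` dependency, which is why step (1) is needed: the branch compares `d`, but the value the analyzer must control is the `time` syscall's output.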



Limitations of sandboxes
Conditional Code Obfuscation

Historically, encryption, polymorphism and other obfuscation schemes have primarily been employed to thwart anti-virus tools and static-analysis-based approaches. Dynamic-analysis-based approaches inherently overcome all anti-static-analysis obfuscations, but they observe only a single execution path. Malware can exploit this limitation by employing trigger-based behaviors, such as time-bombs, logic-bombs, bot-command inputs, and tests for the presence of analyzers, to hide its intended behavior.


Limitations of sandboxes
Conditional Code Obfuscation

Recent analyzers provide a powerful way to discover trigger-based malicious behavior in arbitrary malicious programs: exploration of multiple paths during execution of the malware.


Limitations of sandboxes (dynamic analysis)
Conditional Code Obfuscation

Figure: General obfuscation mechanism.



Limitations of sandboxes
Conditional Code Obfuscation

Malware                         Malicious triggers   Strong   Med.   Weak   None
Slapper worm (P2P Engine)               28              -      28      -      -
Slapper worm (Backdoor)                  1              1       -      -      -
BotNET (An IRC Botnet Server)           52             52       -      -      -
passwd rootkit                           2              2       -      -      -
login rootkit                            3              2       -      -      1
top rootkit                              2              -       -      2      -
chsh rootkit                             4              2       -      -      2

Table: Evaluation of the obfuscation scheme on automatically concealing malicious triggers (number of triggers per program that received strong, medium, weak or no obfuscation).


Conditional Code Obfuscation: Analyzer Improvements

First, analyzers may be equipped with a decryptor that reduces the key search space by taking the input domain into account. Another approach is to move further towards input-aware analysis: rather than capturing only binaries, collection mechanisms should, where possible, also capture the binary's interaction with its environment; in the case of bots, the related network traces. Existing honeypots already have the capability to capture network activity. Recording system interaction can provide more information about the inputs required by the binary.
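The obfuscation mechanism from the earlier figure and the brute-force decryptor proposed in this slide, worked through together as an added Python toy. This is not the paper's implementation: the hash (SHA-256), the keystream construction (HMAC-SHA256 in counter mode), the stand-in payload and the trigger values are all assumptions chosen for the illustration. It shows why a single-path sandbox sees nothing, why a multi-path explorer cannot simply flip the branch (the constant is gone; only its hash remains), and how far an analyzer gets by searching the input domain: a one-byte bot command is recovered at once, while a trigger the analyzer cannot bound is not, which is the intuition behind the strong/weak classification in the table above.

```python
"""Conditional code obfuscation and the analyzer-side brute-force decryptor
(added toy; not the NDSS'08 paper's code, primitives are my choice).

    original:                      obfuscated:
    if cmd == C:                   if H(cmd) == H_C:          # H_C = H(C)
        malicious()                    run(D(E_C, key=cmd))    # E_C = E(code, key=C)

C itself no longer appears in the binary; forcing the branch requires an x
with H(x) == H_C, i.e. a preimage search over the input domain."""
import hashlib
import hmac
import itertools


def _keystream(key: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode, standing in for a block cipher."""
    blocks = (hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def obfuscate(trigger: bytes, payload: bytes):
    """Return (H_C, E_C): hash of the trigger value and the payload
    encrypted under a key derived from that value."""
    ks = _keystream(trigger, len(payload))
    return hashlib.sha256(trigger).digest(), bytes(a ^ b for a, b in zip(payload, ks))


def obfuscated_branch(x: bytes, h_c: bytes, e_c: bytes):
    """The transformed conditional.  Returns the recovered payload when the
    trigger matches, else None (the sandbox observes no malicious code)."""
    if not hmac.compare_digest(hashlib.sha256(x).digest(), h_c):
        return None
    ks = _keystream(x, len(e_c))
    return bytes(a ^ b for a, b in zip(e_c, ks))


def brute_force_trigger(h_c: bytes, domain, budget=None):
    """Analyzer improvement: search the trigger over the input's domain.
    `domain` yields candidate values; `budget` caps the number of attempts."""
    for i, cand in enumerate(domain):
        if budget is not None and i >= budget:
            return None
        if hashlib.sha256(cand).digest() == h_c:
            return cand
    return None


# Constructed demo data (assumptions, not from the paper).
PAYLOAD = b"launch_ddos()"                        # stand-in for the hidden code
H_C, E_C = obfuscate(b"A", PAYLOAD)               # trigger: one-byte bot command
STRONG_TRIGGER = hashlib.sha256(b"key").digest()  # 32-byte trigger value
H_S, E_S = obfuscate(STRONG_TRIGGER, PAYLOAD)


def analyze():
    """Run the three analyses and return what each one learns."""
    # weak: a bot command is one byte, so 256 candidates cover the domain
    weak = brute_force_trigger(H_C, (bytes([b]) for b in range(256)))
    # strong: no usable bound on the domain; give up after a fixed budget
    strong = brute_force_trigger(
        H_S, (i.to_bytes(32, "big") for i in itertools.count()), budget=10_000)
    return {
        "sandbox_sees": obfuscated_branch(b"B", H_C, E_C),           # None
        "weak_trigger": weak,                                         # b"A"
        "weak_payload": obfuscated_branch(weak, H_C, E_C) if weak else None,
        "strong_trigger": strong,                                     # None
    }


if __name__ == "__main__":
    for name, value in analyze().items():
        print(f"{name:15s} {value!r}")
```

The input-aware angle from the slide is what makes the weak case tractable: knowing that the compared value is a one-byte command (for instance from a captured C&C trace) bounds the domain. With a 32-byte value and no such knowledge the search is just a preimage attack on the hash, which is what the "strong" entries in the table stand for.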


References

Andreas Moser, Christopher Kruegel, Engin Kirda. Exploring Multiple Execution Paths for Malware Analysis. Proceedings of the 2007 IEEE Symposium on Security and Privacy, 2007.

Monirul Sharif, Andrea Lanzi, Jonathon Giffin, Wenke Lee. Impeding Malware Analysis Using Conditional Code Obfuscation. Proceedings of the 15th Annual Network and Distributed System Security Symposium (NDSS08), 2008.


Detecting sandboxes

Red-pill: a program capable of detecting whether it is executed in an emulator (Paleari et al., WOOT 2009).
http://www.usenix.org/events/woot09/tech/full_papers/paleari.pdf

int main(void) {
    /* Machine-code sequence (bytes elided on the slide) whose result differs
       between a physical and an emulated CPU.  In practice the buffer has to
       live in executable memory before it can be called. */
    char redpill[] = "\x08\x7c\xe3\x04...";
    if (((int (*)(void))redpill)()) {
        // Executed on physical CPU
        return CPU;
    } else {
        // Executed on emulated CPU
        return EMU;
    }
}

Detecting sandboxes: some numbers...

Figure: number of state differences (red-pills) found for each emulator: BOCHS, Pin, Valgrind, QEMU (y-axis: state differences, 50 to 550).
